| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 May 2024 18:21:23 +0800
From: quic_zijuhu <quic_zijuhu@...cinc.com>
To: Greg KH <gregkh@...uxfoundation.org>
CC: Dmitry Torokhov <dmitry.torokhov@...il.com>, <rafael@...nel.org>,
<akpm@...ux-foundation.org>, <linux-kernel@...r.kernel.org>,
<stable@...r.kernel.org>
Subject: Re: [PATCH v2] kobject_uevent: Fix OOB access within
zap_modalias_env()
On 5/29/2024 6:17 PM, Greg KH wrote:
> On Wed, May 29, 2024 at 06:07:06PM +0800, quic_zijuhu wrote:
>> On 5/29/2024 2:56 AM, Dmitry Torokhov wrote:
>>> On Tue, May 28, 2024 at 11:19:07AM +0800, Zijun Hu wrote:
>>>> zap_modalias_env() wrongly calculates size of memory block to move, so
>>>> will cause OOB memory access issue if variable MODALIAS is not the last
>>>> one within its @env parameter, fixed by correcting size to memmove.
>>>>
>>>> Fixes: 9b3fa47d4a76 ("kobject: fix suppressing modalias in uevents delivered over netlink")
>>>> Cc: stable@...r.kernel.org
>>>> Signed-off-by: Zijun Hu <quic_zijuhu@...cinc.com>
>>>> ---
>>>> V1 -> V2: Correct commit messages and add inline comments
>>>>
>>>> V1 discussion link:
>>>> https://lore.kernel.org/lkml/0b916393-eb39-4467-9c99-ac1bc9746512@quicinc.com/T/#m8d80165294640dbac72f5c48d14b7ca4f097b5c7
>>>>
>>>> lib/kobject_uevent.c | 17 ++++++++++++++++-
>>>> 1 file changed, 16 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c
>>>> index 03b427e2707e..f22366be020c 100644
>>>> --- a/lib/kobject_uevent.c
>>>> +++ b/lib/kobject_uevent.c
>>>> @@ -433,8 +433,23 @@ static void zap_modalias_env(struct kobj_uevent_env *env)
>>>> len = strlen(env->envp[i]) + 1;
>>>>
>>>> if (i != env->envp_idx - 1) {
>>>> + /* @env->envp[] contains pointers to @env->buf[]
>>>> + * with @env->buflen elements, and we want to
>>>> + * remove variable MODALIAS pointed by
>>>> + * @env->envp[i] with length @len as shown below:
>>>> + *
>>>> + * 0 @env->buf[] @env->buflen
>>>> + * ----------------------------------------
>>>> + * ^ ^ ^
>>>> + * |-> @len <-| target block |
>>>> + * @env->envp[i] @env->envp[i+1]
>>>> + *
>>>> + * so the "target block" indicated above is moved
>>>> + * backward by @len, and its right size is
>>>> + * (@env->buf + @env->buflen - @env->envp[i + 1]).
>>>> + */
>>>> memmove(env->envp[i], env->envp[i + 1],
>>>> - env->buflen - len);
>>>> + env->buf + env->buflen - env->envp[i + 1]);
>>>
>>> Thank you for noticing this, it is indeed a bug.
>>>
>>> I wonder if this would not be expressed better as:
>>>
>>> tail_len = env->buflen - (env->envp[i + 1] - env->envp[0]);
>>> memmove(env->envp[i], env->envp[i + 1], tail_len);
>>>
>>> and we would not need the large comment.
>>>
>> Greg KH suggests add inline comments since my fix is not obvious with
>> first glance, let us wait for his comments within 2 days about below
>> question:
>> is it okay to remove those inline comments if block size to move is
>> changed to env->buflen - (env->envp[i + 1] - env->envp[0]) ?
>
> I'm all for making this simpler, please do so as Dmitry's response looks
> better and easier to understand, don't you think?
>
> And add comments, they are always good here for stuff like this :)
>
okay, will send v3 to take Dmitry's suggestion and keep inline comments.
> thanks,
>
> greg k-h
Powered by blists - more mailing lists